enigma binary

enigma binary

Nick Edwards
Hi There,

For security purposes we disable paths and functions, is there a way we can enable the pgp binary if we move it to the enigma home directory?

Class 'enigma_driver_gpg' not found in ....  is the error we keep getting after changing lib/Crypt/GPG/Engine.php to look in its home by use of a full path, to be allowed to bypass our restriction with open_basedir, which naturally does not permit access to system binary directories.

We have also
disable_functions = exec, shell_exec, system, virtual, show_source, passthru, escapeshellcmd, proc_open, popen, pclose, phpinfo, parse_ini_file, eval

I was sure there was a way to tell apache to use php_admin_value to allow things, but I can't find references to my problem (which may not even be the actual problem?); I am only guessing.

We do not want to remove the above restrictions in case one day a zero-day is found and can be exploited; I am not permitted to relax them.

Nik


_______________________________________________
Roundcube Users mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/users
Re: enigma binary

A.L.E.C
On 07/20/2016 09:40 AM, Nick Edwards wrote:
> For security purposes we disable paths and functions, is there a way we
> can enable the pgp binary if we move it to the enigma home directory?

You can already set path to gpg binary via enigma_pgp_binary option.
However, for GnuPG 2.x you'll need to set also gpg-agent path which is
not yet supported by config option. You'd need to set $options['agent']
around
https://github.com/roundcube/roundcubemail/blob/master/plugins/enigma/lib/enigma_driver_gnupg.php#L87

> We have also
> disable_functions = exec, shell_exec, system, virtual, show_source,
> passthru, escapeshellcmd, proc_open, popen, pclose, phpinfo,
> parse_ini_file, eval

Crypt_GPG uses proc_open().

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer        [http://kolab.org]
Roundcube Webmail Developer  [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl

Re: enigma binary

Nick Edwards
Hi Alec,


// Enigma Plugin options
// --------------------

// A driver to use for PGP. Default: "gnupg".
$rcmail_config['enigma_pgp_driver'] = 'gnupg';

// A driver to use for S/MIME. Default: "phpssl".
$rcmail_config['enigma_smime_driver'] = 'phpssl';

// Keys directory for all users. Default 'enigma/home'.
// Must be writeable by PHP process
$rcmail_config['enigma_pgp_homedir'] = null;

$rcmail_config['enigma_pgp_binary'] = '/opt/webmail/plugins/enigma/gpg';

^^^^^^^  This doesn't seem to change anything?

[Thu Jul 21 13:44:54.060378 2016] [:error] [pid 6431:tid 2843577200] [client ] PHP Warning:  is_executable(): open_basedir restriction in effect. File(/usr/bin/gpg) is not within the allowed path(s): ( bunch of paths) in /opt/webmail/plugins/enigma/lib/Crypt/GPG/Engine.php on line 1651, referer: https://xxxxxxxxxxxx/?_task=settings&_action=plugin.enigmakeys

This repeats with an attempt at /usr/local/bin/gpg,

then

[Thu Jul 21 13:44:54.093373 2016] [:error] [pid 6431:tid 2843577200] [client ] PHP Fatal error:  Call to undefined method Crypt_GPG_SubKey::usage() in /opt/webmail/plugins/enigma/lib/enigma_driver_gnupg.php on line 437, referer: https://xxxxxxxxxxxxxx/?_task=settings&_action=plugin.enigmakeys

We are using GnuPG 1.4.x.



Re: enigma binary

Nick Edwards
After sorting out proc_open by changing to the suhosin blacklist instead of the native PHP disable, things progressed; however,
I just wiped out the config and used a fresh one, with and without $rcmail_config or $config...  I clearly have the wrong idea of the option for the path to it, as the roundcube error now says binary not found. Is $config['enigma_pgp_binary'] = 'path/file'; actually the right entry to use?


Re: enigma binary

A.L.E.C
On 07/21/2016 07:02 AM, Nick Edwards wrote:
> After sorting out proc_open but changing to suhosin blacklist instead
> native php disable, things progressed, however
> just wiped out the config and used fresh, with and without
> $rcmail_config or $config...  I clearly have wrong option idea for the
> path to it as roundcube error now says binary not found, is
> $config['enigma_pgp_binary'] = 'path/file'; actually the right entry to use?

Yes, are you using git-master version? The option does not exist in 1.2.0.

>     [Thu Jul 21 13:44:54.093373 2016] [:error] [pid 6431:tid 2843577200]
>     [client ] PHP Fatal error:  Call to undefined method
>     Crypt_GPG_SubKey::usage() in

You need more recent Crypt_GPG package.

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer        [http://kolab.org]
Roundcube Webmail Developer  [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl

Re: enigma binary

Nick Edwards
ARG, no, these are production servers, so of course I'm only running the stable release 1.2.0.

I think we'll downgrade to 1.1.x again, since several of our plugins don't work with 1.2, and enigma clearly isn't going to work with our security restrictions; might try again when 1.2.1 or whatever is released.
Thanks

Re: enigma binary

Roberto Puzzanghera
On 2016-07-21 05:52 Nick Edwards wrote:
[...]

> [Thu Jul 21 13:44:54.093373 2016] [:error] [pid 6431:tid 2843577200]
> [client ] PHP Fatal error:  Call to undefined method
> Crypt_GPG_SubKey::usage() in
> /opt/webmail/plugins/enigma/lib/enigma_driver_gnupg.php on line 437,
> referer:
> https://xxxxxxxxxxxxxx/?_task=settings&_action=plugin.enigmakeys

I got the exact same error a few days ago. It appears that roundcube
resets the php's "default include_path" variable, so installing
Crypt_GPG via Pear in the php/lib dir doesn't help. Manually downloading
the library into the enigma/lib dir solved it for me.
I also dropped a note about this and enigma's configuration here
http://notes.sagredo.eu/node/35#enigma

regards
Roberto
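As an added example (not Roundcube's or enigma's own code), here is a small PHP pre-flight script that combines Alec's two points above (Crypt_GPG needs proc_open(), and open_basedir must cover the gpg binary) with Roberto's point that the library has to resolve from enigma/lib. The plugin directory and binary path are assumptions modelled on the paths quoted in this thread; run it under the same PHP configuration as the webserver.

```php
<?php
// Added example, not enigma's or Roundcube's own code: check the three
// prerequisites discussed in this thread before enabling the plugin.
// Both paths below are assumptions modelled on the thread; adjust them.
$pluginDir = '/opt/webmail/plugins/enigma';   // assumed enigma plugin dir
$gpgBinary = $pluginDir . '/gpg';             // assumed enigma_pgp_binary

/** Return true when $path lies under one of the open_basedir entries. */
function within_open_basedir($path, $basedir)
{
    $real = @realpath($path) ?: $path;
    foreach (explode(PATH_SEPARATOR, $basedir) as $entry) {
        $prefix = rtrim($entry, '/') . '/';
        if (strncmp($real . '/', $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

$problems = array();

// 1. Crypt_GPG spawns gpg with proc_open(); disable_functions blocks that.
$disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
if (in_array('proc_open', $disabled, true) || !function_exists('proc_open')) {
    $problems[] = 'proc_open() is disabled, so Crypt_GPG cannot run gpg';
}

// 2. open_basedir: is_executable()/proc_open() refuse paths outside it,
//    which produces the "open_basedir restriction in effect" warning.
$basedir = (string) ini_get('open_basedir');
if ($basedir !== '' && !within_open_basedir($gpgBinary, $basedir)) {
    $problems[] = "$gpgBinary is outside open_basedir ($basedir)";
}
if (!@is_executable($gpgBinary)) {
    $problems[] = "$gpgBinary is not executable by the PHP process";
}

// 3. The library has to be resolvable from the plugin's own lib dir.
$engine = $pluginDir . '/lib/Crypt/GPG/Engine.php';
if (!is_readable($engine)) {
    $problems[] = "Crypt_GPG not found at $engine; copy it into enigma/lib";
}

foreach ($problems ?: array('enigma prerequisites look OK') as $line) {
    echo $line, PHP_EOL;
}
```

For GnuPG 2.x the gpg-agent path Alec mentions still has to be set separately; this script only covers the 1.4.x case discussed here.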

Re: enigma binary

soumitri@iitk.ac.in

Hello,

I am getting following error in browser console when sending an encrypted message.

==============================

ReferenceError: PublicKey is not defined
rcube_webmail/this.mailvelope_search_pubkeys()
 app.min.js:161
rcube_webmail.prototype.enigma_find_publickey()
 enigma.js:547
rcube_webmail.prototype.enigma_key_not_found/<.click()
 enigma.js:537
._createButtons/</a.click()
 jquery-ui-1.10.4.custom.min.js:37
n.event.dispatch()
 jquery.min.js:35
n.event.add/r.handle()
 jquery.min.js:35

==================================


enigma debug log

==================

[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: USING GPG 2.0.22 with PHP 5.4.16
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: OPENING GPG-AGENT SUBPROCESS WITH THE FOLLOWING COMMAND:
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: /usr/bin/gpg-agent --daemon --options /dev/null --csh --keep-display --no-grab --ignore-cache-for-signing --pinentry-touch-file /dev/null --disable-scdaemon --no-use-standard-socket --pinentry-program '/var/www/html/plugins/enigma/lib/Crypt_GPG-1.4.2/Crypt/GPG/../../scripts/crypt-gpg-pinentry' --homedir '/var/www/enigma/home/soumitri'
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: CLOSING GPG-AGENT LAUNCH PROCESS
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: GPG-AGENT LAUNCH PROCESS CLOSED
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: OPENING GPG SUBPROCESS WITH THE FOLLOWING COMMAND:
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: /usr/bin/gpg --status-fd '3' --command-fd '4' --no-secmem-warning --no-tty --no-default-keyring --no-options --no-permission-warning --exit-on-status-write-error --trust-model always --with-colons --with-fingerprint --with-fingerprint --fixed-list-mode --homedir '/var/www/enigma/home/soumitri' --list-public-keys '[hidden email]'
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: BEGIN PROCESSING
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: selecting streams
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => got 3
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: GPG output stream ready for reading
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => about to read 65536 bytes from GPG output
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => read 658 bytes
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: GPG error stream ready for reading
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => about to read 65536 bytes from GPG error
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => read 0 bytes
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: GPG status stream ready for reading
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => about to read 65536 bytes from GPG status
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => read 0 bytes
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: selecting streams
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => got 1
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: GPG output stream ready for reading
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => about to read 65536 bytes from GPG output
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => read 0 bytes
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: END PROCESSING
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: CLOSING GPG SUBPROCESS
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: STOPPING GPG-AGENT DAEMON
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: GPG-AGENT DAEMON STOPPED

===========================

OS: centos7.2, RC version: 1.2.0

I am not getting any other error in error log.

Thanks for any suggestion.

Regards,

Soumitri Mishra,


Re: enigma binary

A.L.E.C
On 07/22/2016 08:32 AM, [hidden email] wrote:

> ReferenceError: PublicKey is not defined

PublicKey is defined in publickey.js

> OS: centos7.2, RC version: 1.2.0

No, you don't. Key server support was added in master only. I assume you
applied some commits from master to 1.2.0, which require some other
changes you missed.

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer        [http://kolab.org]
Roundcube Webmail Developer  [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl